I need some help understanding how to properly secure a Web App that is based on using an Angular JS and Semantic UI front-end and a Web API C# backend using IIS on Windows Server 2012 R2 sitting in an Active Directory based Windows domain environment (e.g. corporate).
I would like to understand how to write front-end web apps that can talk to an IIS-hosted Web API and be authenticated using a username and password which links into Active Directory. In other words, users should be able to use the same Windows username and password for the web apps as they do internally on the intranet and on their Windows computers. However, the Web API will be exposed on a public URL.
I've been doing C# for a long time and I've recently started learning Web API and Angular JS. I've worked with jQuery before and PHP, but not so much with ASP.NET.
I have read about topics like Individual Authentication, Organisational Authentication, Windows Authentication and Basic Authentication. I read a bit about OAuth2, about using tokens and about OWIN. It all made me a bit confused, because there isn't a good example out there about Web API security in a corporate AD environment.
I might have multiple web apps, each with their own specific URL paths to access the CRUD methods of the Web API; however, the user should only need to log in once and then have access to all the different parts of the Web API. I also don't know how to then best handle authorization to allow different users to have different permission levels. How do I control this for different parts of the API and give some users access to certain methods? Can this be achieved with AD, or is it best to handle it by using my own user DB with permission settings where the user's details are copied from AD?
With all this in mind, I would like to achieve a simple Angular JS and Semantic UI front-end login form and Web API back-end template which allows me to log in to a sample web app using a username and password validated against an AD environment. It should also allow me to log out.
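As an added example (not code from the question or from any answer), one common way to meet these requirements with ASP.NET Web API 2 and OWIN: the Angular front end POSTs the Windows username and password once to a `/token` endpoint over HTTPS, the server validates them against the domain with `PrincipalContext.ValidateCredentials`, maps the user's AD group memberships to role claims, and returns a bearer token that the front end sends on every later request; authorization per controller or method is then expressed with `[Authorize(Roles = ...)]`. The domain name `corp.example.com`, the `WebApp-Editors` group and the orders controller are placeholders, and the NuGet packages named in the comments are assumed.

```csharp
// Added example: AD-backed resource-owner-password token endpoint for ASP.NET Web API 2 / OWIN.
// Assumed packages: Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.OAuth,
// Microsoft.AspNet.WebApi.Owin; plus a reference to System.DirectoryServices.AccountManagement.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(AdTokenSample.Startup))]

namespace AdTokenSample
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var config = new HttpConfiguration();
            // Do not let Web API fall back to IIS Windows/cookie authentication:
            // only bearer tokens issued by this server are accepted.
            config.SuppressDefaultHostAuthentication();
            config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
            config.MapHttpAttributeRoutes();

            app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/token"),
                Provider = new ActiveDirectoryAuthProvider("corp.example.com"), // placeholder domain
                AccessTokenExpireTimeSpan = TimeSpan.FromHours(8),              // one login per working day
                AllowInsecureHttp = false                                       // password travels only over HTTPS
            });
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
            app.UseWebApi(config);
        }
    }

    // Validates the posted username/password against the domain and turns AD group
    // membership into role claims carried inside the token.
    public class ActiveDirectoryAuthProvider : OAuthAuthorizationServerProvider
    {
        private readonly string _domain;
        public ActiveDirectoryAuthProvider(string domain) { _domain = domain; }

        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            // Single public client (the Angular app) with no client secret: accept and rely on user credentials.
            context.Validated();
            return Task.FromResult(0);
        }

        public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            using (var pc = new PrincipalContext(ContextType.Domain, _domain))
            {
                // The domain controller checks the password; the API never stores it.
                if (!pc.ValidateCredentials(context.UserName, context.Password))
                {
                    context.SetError("invalid_grant", "The user name or password is incorrect.");
                    return Task.FromResult(0);
                }

                var identity = new ClaimsIdentity(context.Options.AuthenticationType);
                identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));

                var user = UserPrincipal.FindByIdentity(pc, context.UserName);
                if (user != null)
                {
                    // Authorization groups (nested ones included) become roles; ClaimTypes.Role is
                    // what [Authorize(Roles = ...)] checks by default.
                    foreach (Principal group in user.GetAuthorizationGroups())
                    {
                        if (!string.IsNullOrEmpty(group.SamAccountName))
                            identity.AddClaim(new Claim(ClaimTypes.Role, group.SamAccountName));
                    }
                }
                context.Validated(identity);
            }
            return Task.FromResult(0);
        }
    }

    // Placeholder resource: any authenticated domain user may read, only members of the
    // (placeholder) "WebApp-Editors" AD group may write.
    [Authorize]
    [RoutePrefix("api/orders")]
    public class OrdersController : ApiController
    {
        [HttpGet, Route("")]
        public IHttpActionResult List() { return Ok(new[] { "order-1", "order-2" }); }

        [HttpPost, Route(""), Authorize(Roles = "WebApp-Editors")]
        public IHttpActionResult Create() { return Ok(); }
    }
}
```

The front end sends a form-encoded `grant_type=password&username=...&password=...` request to `/token`, keeps the returned `access_token` in memory (not in a cookie, which would reintroduce CSRF), and adds `Authorization: Bearer <token>` to every API call; because the token is self-contained, "logout" is the client discarding it, and the expiry bounds how long a leaked token stays usable. Permissions live in AD group membership rather than a separate user table, so the same groups that govern file shares govern the API, and an account disabled in AD can no longer obtain a new token.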